I see on stable Omnia TLS 1.3 is supported in kresd. It’s enough to just have a fresh gnutls version.
This is related to one of my main points. We have a heavily used transport-security protocol already – (D)TLS. If we should maintain yet another one just for DNS, it’s much more likely to contain security flaws, either in implementation or design itself.
I have a DNS server with dnscrypt 2 (incl. sdns stamp), DoH and TLS (upstream and downstream), but Mox can’t connect to it!!!
[quote=“zemunonixo, post:16, topic:10449”]
Can you please address why DNS settings in luci/admin/network/dhcp or on interfaces are being ignored in favour of the default settings dropdown in forris?
[/quote]
Looks like Mox is “defective by design” ljelinek
For sure not via Foris, and LuCI’s DNS settings apply to dnsmasq but not kresd. You would need to connect to the Mox via ssh and edit the kresd settings to connect to your upstream DNS node, and you should be fine.
Some honing is an understatement. It’s a disaster. I guess the answer is don’t use Foris or LuCI and turn off Knot, but it’s just not worth the time required fighting to do that. Took me an hour to set up one OpenVPN client (also no package) and god knows how long on this DNS issue.
Yes, clickable support for these is a request I’ve heard multiple times (though not for sdns:// or downstream). Unfortunately we’ve made this thread a bit hard to read, it’s more like heated chat.
Sorry that’s my bad. Just so angry that I wasted so much time & money. There is very limited documentation and when you see settings in luci you expect them to work. No wonder people are confused.
How is it possible that, if people have been asking, it hasn’t been done? Custom DNS & VPNs are basic requirements.
FYI I want sdns for iOS and to drop non-dnscrypt traffic.
Is it because the project is run like an OSS while it is selling a router and a service as a business? Is it possible that a business should listen more to their users? We all paid very nice money to NOT have to build our own firmware and to NOT have to troubleshoot DNS/VPN/etc issues.
I for one am disappointed in the quality/stability of the software and do regret buying an Omnia because it is not saving me any time.
And what about those numerous references from Turris’ people encouraging us to send in a pull request for the features that we need?! I can get that for 10…20% of the cost with OpenWRT.
Fully agree. It’s interesting that it’s the Knot team that’s responding, not the Turris team. With all due respect to Knot, it’s cool, but clearly doing things differently from OpenWRT is an issue.
Saving time lol - I’ve wasted hours trying to set up, not only is it not saving time, it’s taking way more than I ever expected. I also made the mistake of getting an additional Mox to use as a WiFi repeater only to find out it doesn’t support WDS.
Sure it’s clear that with enough effort you probably can make most things work. But that isn’t the expectation that is set by the price!
Not sure if that is possible, because an upgrade will overwrite some settings. Some other settings can also be overwritten by just using Foris and saving the changes, because Foris does not expect you to change the settings. So, yeah: it is a very overpriced OpenWRT router…
That is what it sounds like. If I understand correctly, to set custom DNS, VPN client etc. you would need to ssh in, turn off Knot, set up, turn off updates and not touch Foris, otherwise it could be overwritten. HM
No. To set custom upstream DNS servers and use DoT, you just need to create a custom configuration file as mentioned earlier in this forum. Yep, the easiest way is ssh and sure, it does not support dnscrypt, namecoin or anything even more exotic. You don’t need to turn off Knot, you shouldn’t turn off updates and sure, you can use Foris; actually, once you create a configuration file, it is the easiest way to switch between DNS servers. Contrary to OpenWRT, updates keep your settings intact, if they are really settings and not overwritten halves of the system. And you can use Foris as much as you want, it doesn’t touch other configuration files than what you are configuring and sometimes it doesn’t affect even all settings in there.
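A minimal kresd custom configuration that forwards all queries to a DoT upstream, as an added example (not a file from this thread or from the Turris project); the upstream address, hostname and pin are placeholders to replace with your provider's published values, and how the file is included into kresd on Turris OS is assumed to be the step the post above refers to.

```lua
-- Added example: forward every query to an upstream resolver over DNS-over-TLS
-- using knot-resolver's policy module. All addresses/names are placeholders.
policy.add(policy.all(policy.TLS_FORWARD({
  -- Authenticate the upstream by the hostname in its certificate, validated
  -- against the system CA store (older kresd releases require an explicit
  -- ca_file = '/etc/ssl/certs/ca-certificates.crt' alongside hostname).
  { '192.0.2.53', hostname = 'dot.example.net' },
  -- Alternative for providers that publish an SPKI pin instead of a CA-signed
  -- certificate: pin the base64 SHA-256 of the server public key.
  -- { '192.0.2.54', pin_sha256 = 'BASE64_SPKI_HASH_PLACEHOLDER' },
})))
```

Without hostname or pin_sha256 the TLS session is encrypted but the upstream is not authenticated, so one of the two must be present for the forwarding to be meaningful against an on-path attacker.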
Use LuCI to change INPUT/OUTPUT firewall rules for the guest zone, then go to Foris and save the Guest Network config. I hit a few more things like that…
Can DoH servers be set as a custom upstream server in the custom configuration file, and does that mean it will appear in Foris as an option?
How can an off-network device use Mox for DNS? Without DNSCRYPT-PROXY I don’t see a way to do this without making Mox an open resolver. Allowing access by IP or over VPN isn’t practical. @vcunat
A custom DoT server can be added like that; not sure whether and how Knot supports DoH as an upstream server and what the configuration would look like, that is something @vcunat can probably answer.
Well, for an off-network device to be able to use any service on MOX, they either need to be on the LAN (so VPN) or the service has to be open to the internet and somehow ACLed. In this scenario, you don’t want to open up classic DNS to the world. Maybe in theory you can set up DoH on Knot on your MOX and run an HTTP proxy with some authentication on your MOX that will forward your DoH requests to Knot. But not sure whether an authenticated proxy will be possible to set up in the end devices.
No, there are no immediate plans for that. In general I’d strongly encourage you to prefer DoT among the encrypted transports for DNS, towards both upstream and downstream. Serving DoH is now supported (i.e. downstream), though it’s perhaps a bit beta and you need extra lua libraries and kresd >= 4.0.0 (i.e. not on current stable Turris OS).
So far the main proponents of DoH seem to be from around web/browsers, so it’s currently used mainly in the last step from the end-client (browser/js/app) and not much further up the chain.
TLS supports client authentication as well, so that would seem the cleanest approach at a quick look, but kresd does not support that (yet), and for DoT it seems quite rarely demanded. I’m not aware of any resolver supporting DoT client authentication by certificates, but there might be some; some kind of TLS proxy might be most practical (if you want to avoid VPN), but I have basically no knowledge about these.
For many of the requests I’d say it’s like… we focus our efforts elsewhere, on features we consider more popular or useful, because it’s just not in our power at all to support everything, at least not in good quality.